Security Incidents mailing list archives

Re: FW: PPark (was: Win 95 Question)


From: Robert.Graham () NETWORKICE COM (Robert Graham)
Date: Tue, 29 Feb 2000 12:27:01 -0800


BTW, if you could send me a tcpdump of the session, I would really appreciate
it as well.  Setting up systems to collect tracefiles is often more work
than creating the signature that detects the traffic.

Regards,
Robert Graham
CTO/Network ICE

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On
Behalf Of Russell Fulton
Sent: Monday, February 28, 2000 7:31 PM
To: INCIDENTS () securityfocus com
Subject: Re: FW: PPark (was: Win 95 Question)

On Mon, 28 Feb 2000 07:00:59 -0500 Ron Gula <rgula () network-defense COM>
wrote:

We have not fully analyzed a live compromised PPark server in our
lab yet. What we have not been able to determine is which IRC group(s)
a PPark server may join? The list of target IRC servers has been
published and this is the first real trace of an IRC "USER" event, but
it would also be useful to see some packet traces of the entire session.


Hmmm... I have been analysing our argus logs for machines that are
communicating with the IRC servers that are listed as being used by PP.
I have found a couple of possibles and I am now checking with the
owners.

I'll try and get a tcpdump of the sessions.

In the meantime I have a question:  The advisories I have seen say
Pretty Park can be used for remote control but none of them say what
ports/mechanisms are used -- is it done via IRC?

Russell.
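The sweep Russell describes (flow logs checked for internal hosts talking to the IRC servers on the published list), written out as an added example that is not part of this thread. The watchlist addresses, IRC ports, internal range and the simplified space-separated flow format are all assumptions for the demo, not the real Pretty Park server list or actual argus output.

```python
import ipaddress
from collections import defaultdict

# Assumed watchlist: placeholder addresses standing in for the published
# Pretty Park IRC server list (constructed, not the real list).
IRC_SERVER_WATCHLIST = {"203.0.113.10", "198.51.100.25"}
IRC_PORTS = {6667, 6668, 6669, 7000}          # assumed IRC ports
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed local range

# Constructed flow records in a simplified form:
#   start-time proto src:port dst:port bytes   (not real argus output)
SAMPLE_FLOWS = """\
2000-02-28T19:02:11 tcp 10.1.4.22:1134 203.0.113.10:6667 4821
2000-02-28T19:02:15 tcp 10.1.4.22:1140 192.0.2.80:80 912
2000-02-28T19:05:40 tcp 10.1.9.7:1025 198.51.100.25:6667 230
2000-02-28T19:06:02 tcp 10.1.4.22:1141 203.0.113.10:6667 77
2000-02-28T19:07:30 tcp 10.2.0.3:2048 198.51.100.25:22 3100
"""


def parse_flow(line):
    """Split one flow record into its fields."""
    ts, proto, src, dst, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto, "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport), "bytes": int(nbytes)}


def suspect_irc_hosts(flow_text):
    """Map each internal host that opened TCP sessions to a watchlisted
    IRC server on an IRC port to the list of matching flows."""
    hits = defaultdict(list)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] != "tcp":
            continue
        if ipaddress.ip_address(f["src"]) not in INTERNAL_NET:
            continue
        # Port 22 to a listed server (last sample line) is not flagged:
        # the watchlist hit must also be on an IRC port.
        if f["dst"] in IRC_SERVER_WATCHLIST and f["dport"] in IRC_PORTS:
            hits[f["src"]].append(f)
    return dict(hits)


if __name__ == "__main__":
    for host, flows in suspect_irc_hosts(SAMPLE_FLOWS).items():
        servers = sorted({f["dst"] for f in flows})
        print(f"{host}: {len(flows)} IRC session(s) to {servers}")
```

Hosts flagged this way are candidates to confirm with the owner and a full tcpdump of the session, as the thread asks for; the flow record alone does not prove infection.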
